New Features and Changes in UEK R7U3

New features, enhancements, and other notable changes that are introduced in UEK R7U3.

Kernel Version

UEK R7U3 is initially released with version 5.15.0-300.163.18 of the kernel.

(aarch64) 64k Base Page Size on Arm

In addition to the standard build of UEK for Arm (aarch64), which sets a base 4k page size, a kernel-uek64k package that sets a 64k base page size is available for Ampere Arm-based Compute shapes in Oracle Cloud Infrastructure only. For use cases other than OCI, the kernel-uek64k package is available only as a technical preview.

The 64k page size kernel is a useful option for Ampere (Arm-based) platforms that process workloads with large, contiguous memory datasets, and can achieve better performance for some types of memory and CPU intensive operations.

The 4k page size kernel is useful for smaller environments, where minimizing physical system memory usage is a priority.

Note that the 4k page size kernel and 64k page size kernel don't differ in user experience as the user space is the same.

After a system is installed with kernel-uek64k, switching back to a 4k kernel page size is unsupported.

Installing kernel-uek64k

Note

On NVIDIA Grace compute shapes, 64k is the default and the only available page size. On Ampere shapes, you can optionally change from the default 4k page size to the 64k page size.

Note

Installation of kernel-uek64k on systems outside of Oracle Cloud Infrastructure (OCI) is only available as a technical preview. Don't install this kernel on production systems outside of OCI.

To install the kernel-uek64k on a system installed with the standard 4k page size kernel-uek:

  1. Install the kernel-uek64k package.
    sudo dnf install -y kernel-uek64k
  2. Set the 64k page size kernel as the default kernel.
    sudo grubby --set-default=$(echo /boot/vmlinuz*64k)

    Note that if you have more than one 64k page kernel installed, you must explicitly declare the kernel that you intend to be the default. For example:

    sudo grubby --set-default=/boot/vmlinuz-5.15.0-306.177.4.1.el9uek.aarch64.64k
  3. Reboot the system.
    sudo reboot
  4. After the system is rebooted, verify that the page size is 64k.
    getconf PAGESIZE

    If getconf PAGESIZE returns 65536, the 64k kernel is loaded. If it returns 4096, the 4k kernel is loaded and you must check that the default kernel is set correctly.

    You can also check that the running kernel contains the 64k string, for example:

    uname -a | grep 64k
  5. If the system is running the 64k kernel, proceed to remove the 4k page size kernel packages to avoid future conflicts.
    sudo dnf erase kernel-uek-core

TLS Encrypted Connections for NFS

RPC-With-TLS is enabled in the Linux NFS server and client. This update provides a standards-based peer authentication mechanism over an encrypted connection using TLS. The TLS Record protocol is handled entirely by kTLS.

Note that both the server and client systems must run UEK R7U3 or later, or must be running a kernel and user space client that supports RFC 9289, to use this functionality. The user space package, ktls-utils, is also required and must be installed on both the client and server systems. Also ensure that you have installed the most recent version of the nfs-utils package or that you have done a full system update.

RPC-With-TLS is contributed upstream by Oracle and is described in RFC 9289.
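
A quick way to see whether RPC-With-TLS is actually in use on a client is to look at the transport security option recorded for each NFS mount. The following shell script is an added example, not code from Oracle, ktls-utils or the kernel project: it lists the NFS mounts on a host that are not using a TLS-protected transport and prints the mount command that requests one. It assumes that a kernel with RPC-With-TLS support records the xprtsec= mount option (tls or mtls) in /proc/mounts; the /proc/mounts content embedded in the script is a constructed sample, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Oracle's code): find NFS mounts that are not using
# RPC-With-TLS. Assumes the kernel records xprtsec=tls or xprtsec=mtls in
# the /proc/mounts option column for mounts that negotiated TLS.

# unencrypted_nfs_mounts [FILE]
# Reads /proc/mounts-style lines (from FILE, default /proc/mounts) and prints
# the mount point of every nfs/nfs4 entry whose options lack xprtsec=tls or
# xprtsec=mtls. Fields: source mountpoint fstype options dump pass.
unencrypted_nfs_mounts() {
    awk '$3 ~ /^nfs4?$/ && $4 !~ /(^|,)xprtsec=m?tls(,|$)/ { print $2 }' \
        "${1:-/proc/mounts}"
}

# tls_mount_command SERVER:/EXPORT MOUNTPOINT
# Prints the mount command that asks the client for a TLS-protected transport.
# xprtsec=tls authenticates the server only; xprtsec=mtls additionally presents
# a client certificate so the server can authenticate the client.
tls_mount_command() {
    printf 'mount -t nfs -o vers=4.2,xprtsec=tls %s %s\n' "$1" "$2"
}

# Constructed sample of /proc/mounts content (not captured from a real host):
# one TLS-protected NFSv4.2 mount, one plain NFSv4.1 mount, one plain NFSv3 mount.
SAMPLE_MOUNTS=$(cat <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
nfs1.example.com:/export/secure /mnt/secure nfs4 rw,relatime,vers=4.2,rsize=1048576,xprtsec=tls,sec=sys 0 0
nfs1.example.com:/export/legacy /mnt/legacy nfs4 rw,relatime,vers=4.1,rsize=1048576,sec=sys 0 0
nfs2.example.com:/srv/data /mnt/data nfs rw,relatime,vers=3,proto=tcp 0 0
EOF
)

# "demo" runs the check against the constructed sample instead of the live host.
if [ "${1:-}" = "demo" ]; then
    sample_file=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$sample_file"
    echo "NFS mounts without a TLS transport in the constructed sample:"
    unencrypted_nfs_mounts "$sample_file"
    rm -f "$sample_file"
    echo "Remount request for a TLS transport would be:"
    tls_mount_command nfs2.example.com:/srv/data /mnt/data
fi
```

Run the script with the demo argument for the dry run, or call unencrypted_nfs_mounts with no argument on a live client. Both ends must be prepared before the mount succeeds: tlshd from ktls-utils must be running on the client and the server, and the server must export the share with TLS allowed, which with a current nfs-utils is assumed here to be the xprtsec= option in /etc/exports.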

TIOCSTI Hardening Option

TIOCSTI is an ioctl system call in the Linux kernel that lets a process simulate terminal input by pushing characters into the input queue for a controlling TTY. This legacy mechanism can be abused for malicious purposes. We recommend always disabling it on systems running Oracle Linux.

Harden a system by disabling TIOCSTI. Set the kernel parameter dev.tty.legacy_tiocsti to 0 with sysctl. For example, run:

echo "dev.tty.legacy_tiocsti = 0" | sudo tee -a /etc/sysctl.d/50-tiocsti.conf
sudo sysctl -p /etc/sysctl.d/50-tiocsti.conf

Note

Processes that run with CAP_SYS_ADMIN, such as BRLTTY, can use TIOCSTI even when this functionality is disabled.

BPF-LSM Enabled at Boot

BPF-LSM, the ability to attach Berkeley Packet Filter (BPF) programs to Linux Security Module (LSM) hooks to implement some security enhancements, is enabled in all UEK R7 kernel configurations. However, using the feature previously required setting the lsm=bpf boot command line option.

In this release, bpf is added to CONFIG_LSM so that it doesn't need to be manually enabled at boot.

You can check that bpf appears in the list of active LSMs by running:

cat /sys/kernel/security/lsm

Note

This feature was enabled in a UEK R7U3 errata release and is available in kernel-uek-5.15.0-315.196.5 and later.
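
The checks in the TIOCSTI and BPF-LSM sections above, together with the 64k page size verification from the kernel-uek64k installation steps, can be scripted. The following POSIX shell script is an added example and not Oracle's code: it reads each setting straight from procfs and sysfs, prints one line per check, and returns non-zero when a hardening setting is not in the recommended state. It also checks kernel.dmesg_restrict, which the Deprecated and Removed Features section further down recommends setting to 1. The PROC_SYS and SECURITYFS variables and all function names are this example's own; they exist so the script can be pointed at constructed files.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit the UEK R7U3 hardening settings
# described on this page. Reads procfs/sysfs directly, so it needs no
# sysctl(8); PROC_SYS and SECURITYFS can be overridden to test against
# constructed files.
PROC_SYS="${PROC_SYS:-/proc/sys}"
SECURITYFS="${SECURITYFS:-/sys/kernel/security}"

# check_knob FILE EXPECTED: prints "ok" when FILE holds EXPECTED, "bad:<value>"
# when it holds something else, and "missing" when the kernel does not expose
# the knob at all (the running kernel then predates the setting).
check_knob() {
    if [ ! -r "$1" ]; then
        echo "missing"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$1")
    if [ "$value" = "$2" ]; then
        echo "ok"
    else
        echo "bad:$value"
    fi
}

# lsm_has FILE NAME: succeeds when NAME is one of the comma-separated LSMs
# listed in FILE (normally /sys/kernel/security/lsm).
lsm_has() {
    [ -r "$1" ] || return 1
    tr ',' '\n' < "$1" | grep -qx "$2"
}

# page_size_label BYTES: maps getconf PAGESIZE output to the kernel flavour.
page_size_label() {
    case "$1" in
        65536) echo "64k" ;;
        4096)  echo "4k" ;;
        *)     echo "unexpected:$1" ;;
    esac
}

# kernel_is_64k RELEASE: succeeds when a uname -r string names a 64k kernel
# (the kernel-uek64k release string ends in "64k", as in the grubby example).
kernel_is_64k() {
    case "$1" in
        *64k) return 0 ;;
        *)    return 1 ;;
    esac
}

# audit: runs every check and returns 1 if any hardening setting is off.
# A 4k page size is reported, not failed, because that is the standard build;
# only a 64k kernel name combined with 4k pages is flagged, since that means
# the default kernel was not switched as intended.
audit() {
    status=0
    r=$(check_knob "$PROC_SYS/dev/tty/legacy_tiocsti" 0)
    echo "dev.tty.legacy_tiocsti=0 ...... $r"
    [ "$r" = "ok" ] || status=1

    r=$(check_knob "$PROC_SYS/kernel/dmesg_restrict" 1)
    echo "kernel.dmesg_restrict=1 ....... $r"
    [ "$r" = "ok" ] || status=1

    if lsm_has "$SECURITYFS/lsm" bpf; then
        echo "bpf in active LSM list ........ ok"
    else
        echo "bpf in active LSM list ........ absent"
        status=1
    fi

    release=$(uname -r)
    pagesize=$(getconf PAGESIZE 2>/dev/null)
    echo "running kernel ................ $release ($(page_size_label "$pagesize") pages)"
    if kernel_is_64k "$release" && [ "$pagesize" != 65536 ]; then
        echo "kernel name says 64k but PAGESIZE is not 65536; check the default kernel"
        status=1
    fi
    return $status
}

# Only run the audit when invoked as "sh uek-audit.sh run", so the functions
# can also be sourced from another script.
if [ "${1:-}" = "run" ]; then
    audit
fi
```

The "missing" result for dev.tty.legacy_tiocsti is worth treating as a finding rather than a pass: if the kernel has no such knob, the sysctl line in /etc/sysctl.d cannot take effect.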

Updated Drivers

In close cooperation with hardware and storage vendors, Oracle has updated several device drivers from the versions in mainline Linux 5.15.0.

Many driver modules no longer track version information. Oracle works with vendors to align device drivers included in UEK R7U3 with the code available in upstream kernel versions.

Notable driver updates are presented in the following table:

Driver Alignment

Driver Module   Driver Description                                                            Aligned Kernel Version   Notable Updates
mlx5            NVIDIA 5th Generation Network Adapters (NVIDIA ConnectX series) Core Driver   6.7                      N/A
lpfc            Broadcom Emulex Fibre Channel HBA Driver                                      6.9                      N/A
qla2xxx         Marvell QLogic Fibre Channel HBA Driver                                       6.10                     N/A
mpt3sas         Broadcom (formerly LSI) MPT Fusion SAS 3.0 Device Driver                      6.9                      N/A
megaraid_sas    Broadcom MegaRAID SAS Driver                                                  6.9                      N/A
mpi3mr          Broadcom MPI3 Storage Controller Device Driver                                6.10                     N/A
smartpqi        Microchip Smart Family Controller Driver                                      6.9                      N/A
bnxt_en         Broadcom BCM573xx Network Driver                                              6.8                      The driver now includes patches to work with the latest BCM57608 chip.
mana            Microsoft Azure Network Adapter                                               6.10                     N/A

Deprecated and Removed Features

The following features are deprecated or no longer available in UEK R7U3:

  • Unrestricted access to the kernel ring buffer is deprecated.

    Unprivileged access to the kernel ring buffer through the dmesg command output is deprecated and will be removed in a future release of UEK. Use the sudo command to escalate to administrator privileges when running the dmesg command. To restrict access to the kernel ring buffer, set the kernel.dmesg_restrict sysctl parameter to 1.

  • CONFIG_SECURITY_SELINUX_DISABLE and CONFIG_SECURITY_WRITABLE_HOOKS options for disabling SELinux at runtime

    The SELinux file system (selinuxfs) /sys/fs/selinux/disable node lets you disable SELinux at runtime before a policy is loaded into the kernel. If disabled using this mechanism, SELinux remains disabled until the system is rebooted.

    The option to disable SELinux at runtime makes it difficult to secure the kernel's LSM hooks using the "__ro_after_init" feature. Therefore, these options are deprecated in this UEK release.

    The preferred method of disabling SELinux is to use the selinux=0 boot parameter.

  • CONFIG_CRYPTO_OFB and CONFIG_CRYPTO_CFB cryptographic modes

    The CFB (Cipher Feedback) mode (NIST SP800-38A) used for TPM2 cryptography and the OFB (Output Feedback) mode (NIST SP800-38A) used to turn a block cipher into a synchronous stream cipher are deprecated in this UEK release, and might be removed from the kernel in a future UEK release.

  • CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_DES option for 3DES/DES3 RPCSEC GSS encryption types

    The RPCSEC GSS encryption types DES and Triple-DES (3DES/DES3) are deprecated in this UEK release, and might be removed from the kernel in a future UEK release.

    These encryption types were deprecated by RFCs 6649 and 8429 because they're known to be insecure.

  • CONFIG_NFS_V2 and CONFIG_NFSD_V2 options for NFSv2 client and server

    Support for NFSv2 clients and NFSv2 servers is deprecated in this UEK release, and might be removed from the kernel in a future UEK release.

    NFSv2 has long been replaced by NFSv3 and NFSv4, which offer improved functionality, performance, and security.

  • CONFIG_NFS_DISABLE_UDP_SUPPORT option for NFSv3 over UDP

    Support for NFS version 3 over the UDP network protocol is deprecated in this UEK release, and might be removed from the kernel in a future UEK release.

    Modern NFS/RPC over TCP and RDMA implementations provide better performance than UDP, and provide reliable ordered delivery of data combined with congestion control.

    Note that NFSv4 is already not supported over UDP, for the same reasons.

  • CONFIG_STAGING option

    With the CONFIG_STAGING kernel configuration option, you can select drivers that don't necessarily meet the highest kernel quality level but are merely made available for test use. However, the kernel option CONFIG_STAGING is deprecated in this UEK release and might be removed in a future release.

  • CONFIG_IXGB option

    The CONFIG_IXGB option for Intel PRO/10GbE hardware is deprecated and might be removed from the kernel in a future UEK release.

  • CONFIG_IP_NF_TARGET_CLUSTERIP option

    The CONFIG_IP_NF_TARGET_CLUSTERIP option that allowed you to build load-balancing clusters of network servers without a dedicated load-balancing router or switch is deprecated in favor of functionality already in Netfilter cluster match.

  • CONFIG_EFI_VARS option

    The CONFIG_EFI_VARS option that provided the efivars sysfs interface to configure UEFI variables is removed from the upstream kernel and is deprecated in this release of UEK. Replacement functionality has been present in the kernel since 2012. For more information, see https://www.kernel.org/doc/html/latest/filesystems/efivarfs.html.

  • Firewire driver

    The CONFIG_FIREWIRE option was disabled in Oracle Linux 9. Thus, the Firewire driver is deprecated and unusable in this UEK release.

  • crashkernel=auto option

    The crashkernel=auto option is deprecated and no longer supported on Oracle Linux 9, and is therefore unsupported for UEK R7 on Oracle Linux 9. Some platforms, such as the Raspberry Pi, have maximum limits for crashkernel memory reservation, and on these the reservation must be specified explicitly. This option will be removed in a future UEK release.

  • Several network scheduler modules

    The following network scheduler modules are deprecated:

    • cls_tcindex
    • cls_rsvp
    • sch_dsmark
    • sch_atm
    • sch_cbq

    These modules might be disabled or blocklisted and can be removed in a future release of UEK. The modules are already removed in the upstream Linux kernel.

  • resilient_rdmaip Module Deprecated

    The resilient_rdmaip module is deprecated in UEK R7. This module will be removed in a future UEK release.

  • SHA-1 Algorithm

    The SHA-1 algorithm is deprecated in UEK R7U3 while in FIPS mode and will be removed in a future UEK release. The SHA-1 algorithm has been retired by National Institute of Standard and Technology (NIST) because the SHA-1 hash algorithm is no longer considered secure. See Oracle Linux release notes for additional details on SHA-1.